APT10 (a.k.a. menuPass, Stone Panda, Potassium, Cicada, or Red Apollo) has been identified in an attack on Japanese organizations that are high priority targets for espionage campaigns. APT10 has been constantly iterating on their custom backdoor malware LODEINFO, optimizing and increasing evasion tactics to go undetected.
Starting in March 2022, APT10 shifted their infection vector of choice to include a self-extracting RAR file delivered by custom crafted spear-phishing attacks that ultimately result in the installation of K7SecuritySuite antivirus. This antivirus software contains a flaw that allows a threat actor to employ a technique known as DLL side-loading to load their own malicious DLL file that will be executed when the antivirus software is launched. Because legitimate antivirus software looks malicious by nature, often needing to operate at the kernel level, other security software may not detect actual malicious activity associated with K7SecuritySuite.
In June 2022, Kaspersky discovered another variant of custom tools used by APT10. In this instance, instead of using DLL side-loading and self-extracting RAR files, the threat group uses file-less malware downloaded as the result of a malicious Microsoft Office document embedded with VBA macros being opened by a user. In the latest version of the LODEINFO, the number of commands available to the malware operators was reduced, possibly to create a leaner payload. The functions available in the latest version are as follows:
- Show embedded backdoor command list
- Download a file from C2
- Upload a file to C2
- Inject the shellcode into memory
- Kill a process using a process ID
- Change directory
- Send malware and system information
- Take a screenshot
- Encrypt files by a generated AES key
- Execute a command using WM I
- Config (incomplete implementation)
Analyst Notes
DLL side-loading remains a popular technique for malware developers because it offers a lot of potential for detection evasion by masking its execution with legitimate software execution. This problem can be approached in a number of ways. Organizations may find application whitelisting and disabling installation by unprivileged users via group policy to be useful in mitigating this threat. EDR and SIEM tools also provide very valuable insight into anomalous software installations and executions in an organization’s environment. From a software development standpoint, Microsoft has a very useful article describing best practices when creating software that loads DLL files: https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
In the case of the delivery of the file-less version of LODEINFO via VBA scripts in Office documents, there are some mitigations in place by default in Windows such as the Mark-of-the-Web security feature that will cause a warning to be displayed to the user upon opening an Office document containing macros. It is recommended that organizations review the usage of Microsoft Office documents with VBA scripts in their environments, and determine the possibility of simply disabling macros in Office documents entirely via group policy.
https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/
